I-Worm.Hadra

This is an Internet worm that spreads via e-mail as an attached EXE file. The worm copies itself to the Windows directory under the name MSSERV.EXE and registers that file in the Windows registry auto-run keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

msservice = %WinDir%\msserv.exe

The worm then stays in Windows memory as a service, connects to MS Outlook and registers itself as a handler for the MS Outlook "NewMail" and "ItemSend" events. When new mail arrives, the worm checks whether it is one of its own messages from another infected machine, and if so deletes it. When a message is being sent, the worm looks for already attached files, takes the first one, replaces it with its own copy with the .EXE extension, and then sends the message. If the message has no attachment, the worm attaches itself under an eight-byte random name with the .EXE extension. The worm disables several types of anti-virus protection and immediately closes Registry editors when they start.
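A check for the persistence artifacts listed above, as an added example that is not part of the original description: it reads the four auto-run keys for the msservice value (or any value pointing at msserv.exe) and looks for the file in the Windows directory. It assumes PowerShell 4 or later (for Get-FileHash); the variable names are illustrative.

```powershell
# Added detection example (not from the original description).
# Auto-run keys and value name are the ones listed in the text.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
$valueName = 'msservice'
$dropped   = Join-Path $env:WinDir 'msserv.exe'

# Properties that the registry provider adds to every result; they are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = foreach ($key in $runKeys) {
    # A key may not exist on a given system; skip it rather than fail.
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }

    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        # Expand %WinDir% and similar so the data can be compared as a real path.
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        # Flag the documented value name, or any value whose data points at msserv.exe.
        if ($p.Name -ieq $valueName -or $data -match '(?i)\\msserv\.exe') {
            [pscustomobject]@{ Type = 'RunValue'; Location = $key; Name = $p.Name; Data = $data }
        }
    }
}

# Record the dropped copy with its hash so it can be submitted for analysis.
$fileFinding = if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    [pscustomobject]@{ Type = 'File'; Location = $dropped; Name = 'msserv.exe'; Data = $hash }
}

$all = @($findings) + @($fileFinding) | Where-Object { $_ }
if ($all) {
    $all | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No msservice auto-run value or msserv.exe file found.'
}
```

A hit on the file name alone is only a lead: confirm it against the registry findings and an anti-virus scan before removing anything.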

Use antivirus (also check the How To Remove section) or Startup Optimizer for removal.